Guest User

Defeat Hackers with Biomimicry

From denial of service attacks to server crashes to day-long disruptions of Google Drive, almost all organizations are familiar with threats to their information security. Given that digital information is more central than ever, it’s worrisome that the history of data security is littered with failure. Organizations seeking to be better prepared for and more resilient in response to information threats may want to draw on a far larger and older source of lessons on information security — the 3.5 billion year history of life. Tapping into biology’s security database — which was developed by millions of species in response to extremely complex natural security problems — gives us first a wakeup call, then some practical guidance on how to keep our information secure.

The wakeup call concerns our assumptions about the borders, barriers, and firewalls we construct in a valiant attempt to protect our data. In nature, barriers — between organic and inorganic chemicals, between land and sea, between species, between everything — have been built, tested, overcome, rebuilt, and overcome again with almost endless repetition. Barriers — be they cell walls, border walls, or firewalls — are at best a temporary imposition to an invader. In the same way that tightly controlled unicellular life eventually evolved into more open and distributed multicellular life, the rapid evolution of cyber threats has outpaced the evolution of defensive barriers.

The lesson is simply that modern organizations should work under the basic assumption that almost anything electronic is now open source. My colleagues in climate science learned this the hard way when politically motivated hackers stole and released thousands of emails sent among scientists. Not only did sensitive data and preliminary analyses methods leak out, but the petty interpersonal spats and behind-the-back sniping that probably appear in all email chains were revealed in all their unappealing light.

So how do we operate in an effectively open-source world without barriers? Here biology offers some get-off-your-ergonomic-chair-and-do-something advice.

The biological world is also open source in the sense that threats are always present, largely unpredictable, and always changing. Because of this, defensive measures that are perfectly designed for a particular threat leave you vulnerable to other ones. Imagine if our immune system were designed to deal only with a single strain of flu. In fact, our immune system works because it looks for the full spectrum of invaders — low-level viral infections, bacterial parasites, or virulent strains of a pandemic disease. Too often, we create security measures — such as the Department of Homeland Security’s BioWatch program — that spend too many resources to deal specifically with a very narrow range of threats on the risk spectrum.

Advocates of full-spectrum approaches for biological and chemical weapons argue that weaponized agents are really a very small part of the risk and that we are better off developing strategies — like better public-health-response systems — that can deal with everything from natural mutations of viruses to lab accidents to acts of terrorism. Likewise, cyber crime is likely a small part of your digital-security risk spectrum.

A full-spectrum approach favors generalized health over specialized defenses, and redundancy over efficiency. Organisms in nature, despite being constrained by resources, have evolved multiply redundant layers of security. DNA has multiple ways to code for the same proteins so that viral parasites can’t easily hack it and disrupt its structure. Multiple data-backup systems are a simple method that most sensible organizations employ, but you can get more clever than that. For example, redundancy in nature sometimes takes the form of leaving certain parts unsecure to ensure that essential parts can survive attack. Lizards easily shed their tails to predators to allow the rest of the body (with the critical reproductive machinery) to escape. There may be sacrificial systems or information you can offer up as a decoy for a cyber-predator, in which case an attack becomes an advantage, allowing your organization to see the nature of the attacker and giving you time to add further security in the critical part of your information infrastructure.

In the end, we are only vulnerable to digital information threats because we are so dependent on digital information. We have, by choice and not, become enmeshed in an escalation toward ever more technological reliance. Yet sometimes technology that starts as an adaptation becomes maladaptive. Retroviruses, such as HIV, use the technology of our immune system against us. The BBC made a modern recreation of the Domesday Book in the 1980s, smartly storing it on high-tech (for the 1980s) laser discs, which are now less accessible than the original book from 1086, which was written on parchment.

Faced with continued technological escalation, the best strategy can simply be to step aside. Many successful organisms have split off from their species’ escalatory pathways, so that the planet now has flightless birds, stingless bees, and rattle-less rattlesnakes. There are models in our past of how to work without information technology. News reporters, in the wake of the recent Justice Department blanket raid of AP phone records, are watching All the President’s Men again and realizing the best way to talk with a source is not by email or text, but in a shadowy parking garage. I recall pulling out a notebook to jot some ideas during a meeting I had at the venerable Cosmos Club in Washington, DC. I was quickly and discretely chastised by my host, who informed me that one does not take notes in the Cosmos Club. No one would say this rule has hampered the many expeditions supported, deals created, and confidences shared in the Club’s 135-year history, but it has preserved their integrity in a perpetually leaky city. Yahoo’s decision to put a stop to employee telecommuting was made for many reasons (which vary depending on who you ask), but one of the underappreciated benefits is that it adds to the company’s security by requiring fewer online conversations about new technologies and acquisitions. Not to mention petty spats between employees; now those are presumably carried out the old-fashioned way, in whispered hushes at the water cooler.

There are organisms that avoid security problems altogether. Certain deep-sea animals are so far removed from any competition that they live quite easily in their isolation. Unfortunately, they don’t evolve and change, they don’t transform resources or innovate — in fact, they don’t do much of anything. Provided you want your organization to grow and innovate, you can’t reject technology altogether and you can’t wall yourself off from all threats. The best bet is to do what the most successful organisms on Earth do — accept the risk and adapt to the changes.